- Does your art society and/or art gallery understand that it has to protect personal data relating to individuals?
- Are the administrators 'data protection aware'?
- Do they process personal information about individuals in a secure way?
- Are the officers of your art society / managers of your art gallery aware of their legal responsibilities under data protection legislation?
We all hear from time to time about the activities of fraudsters - but do we ever stop to think about how they get hold of identity information and how they might get hold of yours?
You might be taking appropriate action to safeguard your identity online and at home. But are you sure that the organisations which you give your personal data are equally careful?
Mailing lists - whether actual addresses or e-mail addresses - are bread and butter fodder for fraudsters. Organisations which engage in fraud buy and sell mailing lists all the time - and they're always on the look out for weaknesses in data protection.
In Europe, unlike the USA, there is a strict legal regime about data protection. Broadly speaking, if an individual can be identified from the data then it's personal data and is protected.
This regime is about to get a lot more strict in the UK with the introduction of the new Criminal Justice Act - this introduces new civil penalties for serious beaches of data protection principles. The new legislation gives the Office of the Information Commissioner the power to impose substantial fines on any organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.
Data protection is an area where art societies and art galleries have no option but to behave in a strictly professional and business-like way. But the sad fact is that at present rather too many don't.
It's clear to me that more than a few art societies, art galleries and other art-related organisations covered by the legislation are completely unaware of their legal obligations concerning the protection of the personal data of their members. If they're unaware, then it's very unlikely that their administrative process also comply with European data protection legislation.
Art organisations and problems with data protection
The reason I'm raising this issue today is because at the weekend I became aware of yet another art organisation which has failed to protect personal data.
Here are some examples of the sorts of failures to protect personal data which I've come across in recent times. I'm not naming the individual art societies or galleries because frankly lax practice seems to be pretty widespread and it seems invidious to name one and not others.
- An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
- Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
- An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
- A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition.
However, I'm afraid that rationales such as "we've always done it like this and it's always been OK before" and "we're just amateurs, we don't know about these things" are no legal defence and simply do not excuse what is happening.
Ultimately, what we're talking about here is data protection and privacy - and these are matters which will be coming within the jurisdiction of criminal law in the UK in the very near future.
This blog post aims to raise awareness of this issue. If all those reading it asked their own art societies and art galleries (and themselves) the questions I am posing then maybe we might see the basics being addressed rather better than they are at present.
Data protection - what are the basics?
Unlike the USA, the right to privacy is a highly developed area of law in Europe and data protection legislation has been around for a very long time.
10 years ago an effort was made to harmonize it so that the same principles applied across all member states of the European Union (see links below for more details). The European Directive on the protection of personal data provided the basis for all national legislation.
In the UK, the Data Protection Act 1998 required all organisations which handle personal information to comply with a number of important principles regarding privacy and disclosure of information which can be used to identify an individual person.
Two sites provide accessible information about the Data Protection Act covers and what it means.
- One is that of the Office of the Information Commissioner. The Information Commissioner is the UK's independent authority set up to promote access to official information and to protect personal information. It is responsible for monitoring the implementation of the Data Protection Act (among other things) and dealing with any transgressions (for example it is in the process of serving enforcement notices on the government in relation to recent serious security breaches by the government departments covering Revenue Taxation and Defence).
- The other is Wikipedia which has got a plain English summary of what is required in Data Protection Act 1998.
But what are the eight principles for processing personal information?
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:More detail about Data protection
Information Commissioner's Office: Personal Data - the basics
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
This is the Data protection Guide and Guidance. This is the place to start if you or your organisation need to review what's required and then set about implementing their requirements/recommendations if you've not done so already.
The overall priority is that personal data should not be accessible to people who don't need to know it and that personal data should not be published.
These are some particularly relevant sections
- Q: What do I need to do under the Data Protection Act? - most art societies will not need to register but do need to process personal information in accordance with the eight principles of the Act
- The exemption from notification for 'not-for-profit' organisations
This note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under DPA 1998 for 'not-for-profit' organisations. [NOTE - this only applies to registration with the ICO not to the rest of the obligations under the DP legislation]
- Guidance on data security breach management
This guidance sets out some of the things an organisation needs to consider in the event of a security breach. This note is not intended as legal advice, nor is it a comprehensive guide to information security. It should, however, assist organisations in deciding on an appropriate course of action if a breach occurs.
- Security of personal information
This good practice note aims to alert small and medium sized organisations to the security measures they should have in place to protect the personal information they hold.
- Data Protection Technical Guidance - Determining what is personal data
Any Art Society or organisation dealing with personal data can usefully start by considering the following when devising a potential policy and practical rules for handling personal data:
Personal data includes anything which is linked to an individual eg home address, telephone number, email address etc.
- Do collect only what is needed. Personal data capable of identifying individuals should only ever collected if it is needed and should only ever be used for the purpose for which it is collected.
- You MUST get written consent of an individual BEFORE you publish their personal data or or pass it on to anybody else. You cannot assume this and it's not good practice to make it difficult for people to tell you. Best practice is to assume a default that it cannot be published and cannot be passed on.
- Do keep personal data only for so long as it is needed. Data protection policies need to address what records must be archived, what should be destroyed and how often.
- Do keep all personal data secure - paper files as well as digital ones.
- Do make sure that personal data is only ever accessible to those with a 'need to know'.
- Do train people. Make sure all people handling personal data know and understand basic practices for protecting data.
- Do not publish personal data without consent in a brochure, leaflet, catalogue, mailing list, email distribution lists etc. without the consent of the person concerned. Do look at what practices you now need to change as a result.
- Do not assume consent. You cannot assume consent - and your data practices need to assume consent will be withheld by some people - like me! (I have a simple principle which is that I don't assume other people know how to look after my personal data so I always provide the absolute minimum and always refuse permission for it to be shared with any third parties).
- Do not send out an e-mail to a mailing list without first checking that each recipient ONLY sees their own e-mail address.
- Do not record financial details - if you can avoid it. These need extra security and you need to find out first how to encrypt them.
- Do not record personal data on a laptop. If you do then additional security provisions are required (eg encryption and/or use of a password to access data)
- Do not give personal data away. It's not yours to give - even if it's another art society member who is asking.You need a system which safeguards the personal data of all those people who do not want it to be shared. Default should always be 'do not share'. You can act as a postbox for anybody wanting to contact a third party.
- Do not sell personal data - it's not yours to sell.
- Do not exchange personal data for some benefit - it's not yours to give away. - even to a sponsor.
- Do not leave responsibility for dta protection vague. Identify who is responsible for leading on data protection - policy development and implementation. Identify the minimum to expect people to know and understand.
Q: What security measures should I have in place to protect personal information on laptops?A data protection checklist - questions to ask your art society, your art gallery and yourself
Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted. The level of protection provided by the encryption should be reviewed and updated periodically to ensure that it is sufficient if the device was lost or stolen, you may need to seek specialist technical advice. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff are properly trained in these. If it is brought to the Commissioner's attention that laptops that have been lost or stolen have not been protected with suitable encryption he will consider using his enforcement powers.
- Are you aware that you have a legal responsibility to protect all personal data which can identify an individual?
- Do you know and understand the eight principles of data protection?
- Have you implemented the eight principles in the way you process and store the personal data of members or people on your mailing list?
- Have the people handling personal data been trained in data protection?
- Have you ever sold the mailing list to a third party?
- Information / data privacy
- Data Protection Act 1998
- European Directive on protection of personal data
- Office of the Information Commissioner